dcrat | ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe
Size

1.3MB
MD5

3006f561d7afc62c236edd2d928d09a6
SHA1

a8b358e87bc77d44ecd4e398ef18fc893329bba7
SHA256

ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c
SHA512

657e323eb662054c9372f77d32ff4434b68616b9baa4d2c75a6d5f44f97f7bf34fbcf709c2f2e134cab46438b0f40e5f10ec09f8fabe96e2235a45fa22624ace
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2920	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d21-9.dat	dcrat
behavioral1/memory/2724-13-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/752-68-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2904-602-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1420-662-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/3028-723-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
1636	powershell.exe
2532	powershell.exe
3032	powershell.exe
1924	powershell.exe
1576	powershell.exe
2712	powershell.exe
1652	powershell.exe
2528	powershell.exe
2536	powershell.exe
2264	powershell.exe
2184	powershell.exe
2524	powershell.exe
2584	powershell.exe
2056	powershell.exe
1660	powershell.exe
1520	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	DllCommonsvc.exe
752	audiodg.exe
2704	audiodg.exe
2192	audiodg.exe
1416	audiodg.exe
1620	audiodg.exe
2868	audiodg.exe
2636	audiodg.exe
820	audiodg.exe
2904	audiodg.exe
1420	audiodg.exe
3028	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	cmd.exe
1888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Java\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Java\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\lsm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\MSBuild\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1092	schtasks.exe
1684	schtasks.exe
688	schtasks.exe
2416	schtasks.exe
1736	schtasks.exe
1572	schtasks.exe
2268	schtasks.exe
2148	schtasks.exe
984	schtasks.exe
108	schtasks.exe
1632	schtasks.exe
1956	schtasks.exe
872	schtasks.exe
2796	schtasks.exe
3028	schtasks.exe
2976	schtasks.exe
1544	schtasks.exe
1920	schtasks.exe
2792	schtasks.exe
2152	schtasks.exe
2192	schtasks.exe
2872	schtasks.exe
912	schtasks.exe
1408	schtasks.exe
2312	schtasks.exe
772	schtasks.exe
2784	schtasks.exe
2788	schtasks.exe
1436	schtasks.exe
1768	schtasks.exe
612	schtasks.exe
1716	schtasks.exe
1376	schtasks.exe
2080	schtasks.exe
2664	schtasks.exe
1640	schtasks.exe
2112	schtasks.exe
2168	schtasks.exe
264	schtasks.exe
2164	schtasks.exe
1884	schtasks.exe
1620	schtasks.exe
2868	schtasks.exe
1452	schtasks.exe
840	schtasks.exe
2484	schtasks.exe
1708	schtasks.exe
1564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2724	DllCommonsvc.exe
2536	powershell.exe
2264	powershell.exe
1576	powershell.exe
2532	powershell.exe
752	audiodg.exe
2528	powershell.exe
1520	powershell.exe
2056	powershell.exe
1924	powershell.exe
3032	powershell.exe
2584	powershell.exe
1652	powershell.exe
1660	powershell.exe
1636	powershell.exe
2712	powershell.exe
2184	powershell.exe
2052	powershell.exe
2524	powershell.exe
2704	audiodg.exe
2192	audiodg.exe
1416	audiodg.exe
1620	audiodg.exe
2868	audiodg.exe
2636	audiodg.exe
820	audiodg.exe
2904	audiodg.exe
1420	audiodg.exe
3028	audiodg.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	752	audiodg.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2704	audiodg.exe
Token: SeDebugPrivilege	2192	audiodg.exe
Token: SeDebugPrivilege	1416	audiodg.exe
Token: SeDebugPrivilege	1620	audiodg.exe
Token: SeDebugPrivilege	2868	audiodg.exe
Token: SeDebugPrivilege	2636	audiodg.exe
Token: SeDebugPrivilege	820	audiodg.exe
Token: SeDebugPrivilege	2904	audiodg.exe
Token: SeDebugPrivilege	1420	audiodg.exe
Token: SeDebugPrivilege	3028	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2384	2352	JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe	30
PID 2352 wrote to memory of 2384	2352	JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe	30
PID 2352 wrote to memory of 2384	2352	JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe	30
PID 2352 wrote to memory of 2384	2352	JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe	30
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2532	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2532	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2532	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1660	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1660	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1660	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 2056	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2056	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2056	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2584	2724	DllCommonsvc.exe	95
PID 2724 wrote to memory of 2584	2724	DllCommonsvc.exe	95
PID 2724 wrote to memory of 2584	2724	DllCommonsvc.exe	95
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 1652	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 1652	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 1652	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2052	2724	DllCommonsvc.exe	98
PID 2724 wrote to memory of 2052	2724	DllCommonsvc.exe	98
PID 2724 wrote to memory of 2052	2724	DllCommonsvc.exe	98
PID 2724 wrote to memory of 2712	2724	DllCommonsvc.exe	99
PID 2724 wrote to memory of 2712	2724	DllCommonsvc.exe	99
PID 2724 wrote to memory of 2712	2724	DllCommonsvc.exe	99
PID 2724 wrote to memory of 1576	2724	DllCommonsvc.exe	101
PID 2724 wrote to memory of 1576	2724	DllCommonsvc.exe	101
PID 2724 wrote to memory of 1576	2724	DllCommonsvc.exe	101
PID 2724 wrote to memory of 2184	2724	DllCommonsvc.exe	102
PID 2724 wrote to memory of 2184	2724	DllCommonsvc.exe	102
PID 2724 wrote to memory of 2184	2724	DllCommonsvc.exe	102
PID 2724 wrote to memory of 752	2724	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff34d8899ee90bfe5e4c12696a800477b99a3be0a14f06d001bc5f17a0cb9c8c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        6⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:872
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        8⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1904
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        10⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2636
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        12⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2128
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        14⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2288
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        16⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2300
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        18⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2384
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        20⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2548
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        22⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2296
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        24⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2120
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4fdf8cc9c30623ac4a4c715272dde78

SHA1
6029d0400019f1d33f7470bcdaa5691a99ef23c0

SHA256
0d6f3ecf7689ea0bed8b0d9394e7bdb694cc5ef3e6cda525f19fe4a17f4fbe5f

SHA512
f9b7e39b9c8a28fb0127dcbc3afbaabadec3d78c353a79b9ab53e6c41dcc8ced256419b982d9bb153a3a5791be8d71b672446780b8184c2c28727607aba3a482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3b7f50749aa3c65ad5b51e35f0d57d4

SHA1
51f8799b38b27bbf557889b491d95dbd1f887a69

SHA256
bd259fd4b3316364e17e3e8606ff46e0d2d5c42ff092953419d08c4142f709e2

SHA512
8a1e455fb2e946d76ef5fcc3aa19740d02b39109cad1e3f09e115659757856795a8f3a52f4f75d568af35ebe4031d315df9a45f1acda4dd1d15bcba5cb978667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be30837fb2e0eeacca7f5487e8c8686f

SHA1
f2ed06a15ce26b93ecf07a16befe7fe7200ae3f9

SHA256
6ea83eb49ab1dc8efde32332f10e26ccfba9ca7a7e44cc10806a3eb4b3b2478c

SHA512
d352bcd7f78aeee9077100f2300e9c727fa20ed52a2d1d5c45f2b4052702b9c137918e1e3913925ad52c3bbc6e0e91666f085755e31c54758e1ebe502cb06e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86bf00d943b99c35cd25f3ce1141e41b

SHA1
de67c2bb5c003eabd9472d9102b9264ff6ee5227

SHA256
5f5110cc826374bb58aadb5a9c4294ad6328218349c5865934f2900ec8c59088

SHA512
796eb1b5ea8117b2821d7894bd48a1df44f20417f1119a885ea93e0ae1f596141ab849cffc584799f7983d477e3e1f32c4ceefd2d7c26c53611192c6ac6b3915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93eada0225d38654040b369c0f303ce9

SHA1
c468b12499082de691751211e95bc1210fbb7ba4

SHA256
c8cee96917af9debc8f865cca4565c7bacb81ae6d817ddacff7006bac332524e

SHA512
c4e677e1b8d6bf70cec46633069311f4a3035337ff55f4d3e556f52215234e2a22bb106071bd480386500025ab548e9d024f45257f523c48e0aaaf15eb3175e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bf28bb6a86e0b1e9c11538e4700daff

SHA1
26c07889f97ab0fad02e50e5b3ee78f82957b449

SHA256
d1242dd46a9c7bc28b74880026bdeaccfad46c5259c6c7870ee6be510b3af1a3

SHA512
25cf5a2f6deb2a342594bd1900a4efd72b7d5c178759986f9b5326449d55861448f6d9f7833472119386b67532b355c9636641d069294be334403426215c9ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c580286c929f7f111952b6c86a844095

SHA1
159a081a7efcea80dc08523b53695b12a8adb707

SHA256
9112d9966131bcf48d6292b10d3d1f99b34d685c233f09730e3f9df610d4b83a

SHA512
2956996e95f5a896a2e6a094a0c23805b162bf9eb5ae63b5c0a3828612649ef0ec31d4078da30962bbd637b2bfe297902d736395185c940fc7da7ce501283430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74c0a3d7be96162a4b49f564e090b2cb

SHA1
3e5dd9fc050e0ac6bfa47be0f38e58f8982b869d

SHA256
62d90178e0e20ec95d1e5ba5d0876a76caf47afe85a545a1d2a02febe409407a

SHA512
de0d52819fbcd78099ed2ec3359f64a33009302e267c99b236dad271d01c8fbfc394e44c813700a65c23ccea12df472b36952eb8983eacc81996db60718f41aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e341d2de42fa2f0c8354eb10b91fe1

SHA1
7966cccfc3f0fbdfe3d5703d94c42a72560b8684

SHA256
c6af8403b1c911e18232b3ae1ff1a1ce6bff882ab9b6f235500ec6d85a7480a6

SHA512
dc387ee72f634aaa4be0429e93b428e4ea8b8cfa4045e64b070166c8a8a774469f63fb893c8b1a3405bb9d107abd2fedad24ab3be6a295b93739cdbe758fe16a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ef59fc61e001eb9d2e165a927312a9b

SHA1
87c8a3e42a437b807980c891e30220df5b032041

SHA256
d9cd7547b7bba478c41e9bee76eb01135353c2647e1bd47172d99b73f7606110

SHA512
d77bbf9a6332383f272408b310a71ea19e8f734f6ef0fc15aeb44ce512c0607d1d0ca1044d08cc30f575d9231e99907440a1f7dd73c8ce6f0aaec8086cffaa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
194B

MD5
d239116a64015cbba6b64ebfa1f9875e

SHA1
94c0372e8d74064a2d2567622ce1ebe31c32d401

SHA256
7f625f2ea235d093efb7db3f6090fad0cef8245540831660a55ebd95d7719ab3

SHA512
df82766f42afcb1dc5aed96009035d75cc72cc39bf93ca2a0fb9de3869a5a2fcd312ec0709c3f18f3d4be0c80817dbeeaaf19ea7dd12653849c5225cd6964839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
194B

MD5
47de2be9ba61283045ebb5a324036127

SHA1
f8489ee9f2646bf243c02590f829f0a61a4252e1

SHA256
8b5f88f66addb7fb6072a85c55a0173060f801b3351af313cf384b755ab76c1d

SHA512
ef06f18ca88a08e4e3d27c84a523bc6f4244805095db697c590f8ef824db3a7f4b64b30898036fb6425aedea315c42c1038dd2cd2acf16089b39cf9fadb5c322

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC055.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
194B

MD5
5ebbef3b17b2ed07487ea89e7f5853fa

SHA1
421024cb0272743414c772d5a66ed5e4d99852cf

SHA256
e772d0c21ee6962950e99d11c8be3add696d12863b446e22bf25de7c2dd132b0

SHA512
ebdfd907540bafd011d38d4851753116389803a001f749710076460ad9fdeb97cc79d2030f46364f281aeeeb844ce5bfc465dc6aac8fd3560ac5a9ebf1861efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
194B

MD5
8250ed24e0c75c7d82c7a28695b24d33

SHA1
b7ef459e6a50135c5121e651fe69ac01e65ce09a

SHA256
af57e5083f548dce8fc29ec5803bc547a568c8d7923cf289ad2699e15433aa4b

SHA512
0ede0307938a90a04f28425e413a9b05aec63b30d0db6f17c11661ba6dd02d000015a08a8bcfc9f163c8a44a2034c61de10aa7dfd74ed2c88ef49409f13d19b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
194B

MD5
49443d544745de51b72bd85c35867138

SHA1
c016c7972e438420c00fc75f17222a30b0246473

SHA256
edd869b0b530da5aa664270587caa5ae234ddd428e437055fd5f2f34a86bc2fd

SHA512
5a115cf9d336f0505f6aadcb6b4bf2b6a01ea3046755ea67339ceca65bccad8bcea91a62fe302496699269f29972cf9aa3708a32ac330ffc43e11a9fbe23cae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
194B

MD5
cf9b2b7831a36c39a9fcdb23d518f9a8

SHA1
303610f5321df13bfa2dffb7194d143a2f1a53e6

SHA256
b8ca34320a6aaf61a73aa4921b5557da9e740e6d8d24162bf55f99398c76a16e

SHA512
917f58569ead55cc08f4f2906d2a5ebe0558b29973598f1f92a234066ec0e6d4e60c6a539653e36cd093acd4d337d70637d18ad9d53f1d09326c52a8d8148ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC086.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
194B

MD5
da4c24ff2f470635dcd39b2966c4ce01

SHA1
77e9d13dc9fa458a64438e56dabc1d112b73c7b1

SHA256
917c0f30655915e01eeecbd6ca888e7ad3e73abcb4f10bcaae781b6f595c05f3

SHA512
794be697d18de43b779c1849e5b80e7fcbb36d8b59712ae5bf3b475aaccdb0f4d3bff5f5d4a7b2303008c2313f540bc7ffc2246ff3b0afa89c8cdf5619dc1125

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
194B

MD5
4a570a52b4e631455f4e870459a7e561

SHA1
4a08920cc932115ca0bfd1376ad320f1ec497fb3

SHA256
5bf42e09fa38755decefe2eab948253997a9399afdc36c49c2786669a026f360

SHA512
75cdb2eec833d948478e18f3cc6bb47f40a6072e642f16c3c50c2a48644cd75339161164a5959caa10c4c089f44f2368ff700c7b3a1a21b9b4ad86299a74fb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
194B

MD5
60a714768e24b88c745879e93ce66e05

SHA1
4a54c6c2401d18713b810344b22614c414351fa4

SHA256
2a6cdca1df6a0c9bf701dae901c3cee7c4a6553a836363aa90785f11323b4298

SHA512
1c187cfe2f22949e754dd7d9f7a877517c59cae3ce0b5e11fa0cc2dfba287d8addb35c83d1edb08ffd73965ed2efa3d5f2f458f5856d272eee84e1759085e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
194B

MD5
1fd0e5efaed761f437ed9c31eb3cdd9c

SHA1
c185f4bcf0b768794f2bbe24f6376b32f5181898

SHA256
0958b4285b535b22442f3219da321d901d9552c38d6b2d836e881bf3e99dad80

SHA512
065b92dc4af499f5440e6c6e61bcf6f0d0e20f4beceb5534337a519b889c245aaa581ad7c8e70c49902c3b650551d3cf32804176e1a1c8a182dc5925c397b1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63b0347b1a2f371a9cd83edd2ca23e35

SHA1
7479f30d57cddf506056fe381e23cff08feb4227

SHA256
f08f4e821dee73228bd97bff6136d60c94395c6b74cd4a93936cb2aa1bf0391a

SHA512
def5fdb713e9d573f8576fa02afc6244923085e1b1beea015eed559f0e998b39986c3218447130b2f57d93a5acf13c6c15989033498c9e462d1eef4cef19d69a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/752-68-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/1420-663-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1420-662-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-246-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2536-64-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2536-65-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2724-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2724-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2724-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2724-13-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2868-424-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2904-602-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/3028-723-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/3028-724-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download